Issue 6508 - memberof segmentation fault
Summary: memberof segmentation fault
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.21
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
 
Reported: 2010-04-07 23:58 UTC by ndunbar@llnw.com
Modified: 2014-08-01 21:04 UTC
Description ndunbar@llnw.com 2010-04-07 23:58:26 UTC
Full_Name: Neil Dunbar
Version: 2.4.21
OS: Debian 5, Ubuntu 9.10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (68.142.115.87)


Hi there,

It looks like there's a small bug in memberof.c - it only manifests itself when
"memberof_dangling" is set to "drop". I think that, while the overlay reduces
the a->a_vals and a->a_nvals arrays by one, to strip out a non-existent DN, it
needs to reduce the a->a_numvals variable as well.

The end result of this is that if one adds a group which has a mix of members
which exist in the DIT, and some which don't, the entry_encode() routine will
segfault. [I can only reproduce the segv in back-bdb and back-hdb. back-ldif
doesn't seem to exhibit this behaviour].

I've uploaded a tiny slapd.conf and test LDIF file (in
ftp://ftp.openldap.org/incoming/memberof-segv-20100407.tar.gz) which is normally
enough to trigger the fault. If one starts up slapd via

slapd -f mof-slapd.conf -h ldap://localhost -d trace

followed by

ldapmodify -x -H ldap://localhost -D cn=admin,dc=test -w adminpw -f
ldif/test-memberof.ldif

one should see an assertion fail in entry_encode() with (i == a->a_numvals)
failing.

The following patch seems to fix it, but I haven't done real regression testing
to see if it rolls other errors. The normal slapd unit tests seem to yield
proper results though.

---8<----8<------
--- memberof.c.orig     2010-04-07 16:49:44.000000000 -0700
+++ memberof.c  2010-04-07 16:49:20.000000000 -0700
@@ -580,6 +580,7 @@
                                                        sizeof( struct berval )
* ( j - i ) );
                                        }
                                        i--;
+                                       a->a_numvals--;
                                }
                        }
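Review bot: the new `a->a_numvals--;` is correctly placed next to `i--;`, so the index and the count both track the slot the memmove above just removed, but the visible context shows a single memmove of `sizeof( struct berval ) * ( j - i )` while the description says both a->a_vals and a->a_nvals are compacted; confirm that the a_nvals shift (outside this hunk) runs for every dropped value, including the case where a_nvals aliases a_vals, otherwise the corrected count will disagree with the normalized array instead of the plain one. Since the report notes that no regression testing was done, a test that loads a group with memberof_dangling set to drop and a mix of existing and missing members, then reads the entry back through back-bdb or back-hdb, would catch this count/array mismatch in the normal slapd test run.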
---8<----8<------

Hope this helps,

Neil
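To make the defect concrete, here is an added C example that is not code from the report or from OpenLDAP's memberof.c. It models slapd's Attribute with a constructed stand-in (a NULL-terminated value array plus an explicit a_numvals count), compacts the array the way memberof_dangling=drop does, and then applies the same walked-length-versus-count check that entry_encode() asserts on. The names entry_encode_consistent, drop_dangling, run_scenario and the "dc=missing means the DN does not exist" rule are assumptions made for the demo; the sample member DNs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for slapd's struct berval / Attribute (not slap.h):
 * a terminated value array plus a separate count, the pair that drifted apart. */
typedef struct berval { size_t bv_len; char *bv_val; } BerValue;

typedef struct Attribute {
    BerValue *a_vals;     /* values, ended by an element with bv_val == NULL */
    BerValue *a_nvals;    /* normalized values; aliases a_vals in this demo */
    unsigned  a_numvals;  /* number of values, terminator not counted */
} Attribute;

/* Stand-in for the entry_encode() check: walk to the terminator and compare
 * the walked length with a_numvals. slapd asserts here, so a mismatch aborts. */
bool entry_encode_consistent(const Attribute *a)
{
    unsigned i = 0;
    while (a->a_vals[i].bv_val != NULL) i++;
    return i == a->a_numvals;
}

/* Drop every value that `dangling` reports as a non-existent DN, like
 * slapo-memberof with memberof_dangling=drop. fix_numvals == false leaves the
 * count untouched (the bug); true applies the one-line fix from the report. */
void drop_dangling(Attribute *a, bool (*dangling)(const BerValue *), bool fix_numvals)
{
    int i, j;
    for (i = 0; a->a_vals[i].bv_val != NULL; i++) {
        if (!dangling(&a->a_vals[i])) continue;
        for (j = i + 1; a->a_vals[j].bv_val != NULL; j++) {}  /* j = terminator */
        free(a->a_vals[i].bv_val);
        /* shift the tail, terminator included, down by one slot */
        memmove(&a->a_vals[i], &a->a_vals[i + 1], sizeof(BerValue) * (j - i));
        if (a->a_nvals != a->a_vals)
            memmove(&a->a_nvals[i], &a->a_nvals[i + 1], sizeof(BerValue) * (j - i));
        i--;                            /* re-examine the slot just filled */
        if (fix_numvals) a->a_numvals--; /* keep the count in step with the array */
    }
}

/* Constructed existence rule: anything under dc=missing is not in the DIT. */
static bool is_missing_dn(const BerValue *v)
{
    return strstr(v->bv_val, "dc=missing") != NULL;
}

static Attribute *make_attr(const char **dns, unsigned n)
{
    Attribute *a = calloc(1, sizeof *a);
    a->a_vals = calloc(n + 1, sizeof(BerValue));      /* +1 for the terminator */
    for (unsigned k = 0; k < n; k++) {
        size_t len = strlen(dns[k]);
        a->a_vals[k].bv_val = malloc(len + 1);
        memcpy(a->a_vals[k].bv_val, dns[k], len + 1);
        a->a_vals[k].bv_len = len;
    }
    a->a_nvals = a->a_vals;
    a->a_numvals = n;
    return a;
}

static void free_attr(Attribute *a)
{
    for (unsigned k = 0; a->a_vals[k].bv_val != NULL; k++) free(a->a_vals[k].bv_val);
    free(a->a_vals);
    free(a);
}

/* The report's scenario: a group whose member values mix DNs that exist with
 * DNs that do not. Returns a_numvals after the drop; *consistent receives
 * whether the entry_encode() check would still hold. */
static unsigned run_scenario(bool fix_numvals, bool *consistent)
{
    const char *members[] = {            /* constructed sample values */
        "cn=alice,ou=people,dc=test",
        "cn=ghost,ou=people,dc=missing",
        "cn=bob,ou=people,dc=test",
        "cn=nobody,ou=people,dc=missing",
    };
    Attribute *a = make_attr(members, 4);
    drop_dangling(a, is_missing_dn, fix_numvals);
    *consistent = entry_encode_consistent(a);
    unsigned left = a->a_numvals;
    free_attr(a);
    return left;
}

unsigned scenario_numvals(bool fix) { bool c; return run_scenario(fix, &c); }
bool scenario_consistent(bool fix) { bool c; run_scenario(fix, &c); return c; }

int main(void)
{
    printf("without fix: a_numvals=%u, entry_encode check %s\n",
           scenario_numvals(false), scenario_consistent(false) ? "passes" : "FAILS");
    printf("with fix:    a_numvals=%u, entry_encode check %s\n",
           scenario_numvals(true), scenario_consistent(true) ? "passes" : "FAILS");
    return 0;
}
```

Without the fix the array ends up holding two values while a_numvals still says four, which is exactly the (i == a->a_numvals) failure the report describes; with the decrement both agree on two. The example exercises the same path for a dangling value at the end of the array, where the tail being moved is only the terminator.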
Comment 1 ando@openldap.org 2010-04-08 15:29:00 UTC
Fixed in HEAD; please check.

a_numvals was added in September 2007 (slap.h 1.831 Fri Sep 21 06:43:56
2007); slapo-memberof.c was first committed in August 2007 (memberof.c 1.1
Fri Aug 24 00:46:58 2007), but developed about one year earlier.  I'm
surprised it survived so long without the a_numvals bit :)

Thanks, p.

Comment 2 ando@openldap.org 2010-04-09 13:55:05 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2010-04-15 13:11:33 UTC
changed notes
changed state Test to Release
Comment 4 Quanah Gibson-Mount 2010-04-29 08:35:00 UTC
changed notes
changed state Release to Closed
Comment 5 OpenLDAP project 2014-08-01 21:04:28 UTC
fixed in HEAD
fixed in RE24